Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-09-2024 17:09

General

  • Target

    4ccff951e33a0013b5e6c71e0b9eedef2969c93ff299e559d2e56789bee4ed04N.exe

  • Size

    63KB

  • MD5

    6034c6da161f6f738c65b125552c5700

  • SHA1

    fbcf9e8ec5d7101f30c4231449124efdccb11200

  • SHA256

    4ccff951e33a0013b5e6c71e0b9eedef2969c93ff299e559d2e56789bee4ed04

  • SHA512

    78e00432994dff1258ce3338c3c867df89ac2eaae4d86e07c2df31152bc2117718313a74adeec678310cba161ae2d0337ef923e5a9c8125a48809fe26a2ff07e

  • SSDEEP

    768:jSxam3Usjr3REXXr8yxFChMp7v9DLKrzCnbcuyD7UVeQI5no1cAvcV4RP0U+t6K:jRsjdEIUFC2p79OCnouy8VDqAG4RsfUK

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ccff951e33a0013b5e6c71e0b9eedef2969c93ff299e559d2e56789bee4ed04N.exe
    "C:\Users\Admin\AppData\Local\Temp\4ccff951e33a0013b5e6c71e0b9eedef2969c93ff299e559d2e56789bee4ed04N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2372
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1708
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2808
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1736
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1916
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:236
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    63KB

    MD5

    6034c6da161f6f738c65b125552c5700

    SHA1

    fbcf9e8ec5d7101f30c4231449124efdccb11200

    SHA256

    4ccff951e33a0013b5e6c71e0b9eedef2969c93ff299e559d2e56789bee4ed04

    SHA512

    78e00432994dff1258ce3338c3c867df89ac2eaae4d86e07c2df31152bc2117718313a74adeec678310cba161ae2d0337ef923e5a9c8125a48809fe26a2ff07e

  • C:\Windows\xk.exe

    Filesize

    63KB

    MD5

    01ba78a29beaac7c694c3c9dbc3a1c8d

    SHA1

    bc71117f39f04cc723e25f1fad48ffa9ff539f71

    SHA256

    b0caedf03d611e4d623bedeb30cb18d3a7396f136962f05cd63befab64003d4a

    SHA512

    72208f2b12f7847ccc39117522de5df7d5890db46c1e09934ad16c38b6e01e5afbfd0822358480965e9828c20c47cf79979e65e622e5178573b18f813f8bac3d

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    63KB

    MD5

    e5db5ad776b0a91aa883c927b017e4e4

    SHA1

    7fac729d8df695259d0d22d1bacf1016daafa683

    SHA256

    5a1ee5e6e40bd7fa4d83d60a519fe939e17b5d141a05467c1eef933b6d1c94e0

    SHA512

    ae886dec9a97575d446ce3ac15eb9b4bda5a342822019ebb5af1e2ed1f350200ba481a1b8fb0ded5fab2a27b569f14c9986917e0c3bac85d79fa4a1ef17b5766

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    63KB

    MD5

    188899b29c6fc50ef0297f4e6d6a22c5

    SHA1

    2d24800af529e06af1cfbbad68793c3340971757

    SHA256

    1458b6ae7d715b7f33ea9adef6bbe7201a6ec3db437ccc3f884868b81687bfe9

    SHA512

    de98628ca45748c71324f95f974d31bf99993b2a85d12b7b36e92f3bc1c91db9d6d0007f7f2ae0b18da02dd152429c0275071e521802153c7cfedd1f8e11cfc4

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    63KB

    MD5

    186945723977c0ea23cc2561890b611c

    SHA1

    25333690b7b4ffee409e894a5e8eea8e67009be2

    SHA256

    866122d6e95489da40c3a591ebd5746ed25319530e2731409e90c1c2ea1d1b3d

    SHA512

    5e459065760fae512f56a35cba7e1555eb9727f7bbdddc0a79e434533e9b8c0d36d08dcde84271a3f487a8bac9e0b8001fbc4099139c29a71282f200694bce67

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    63KB

    MD5

    5a95a2479e22c65979da6f51bbebc263

    SHA1

    4871afa8a5cc697e5469bff1693f4d876f7771db

    SHA256

    54d9ceb17dc06e2f14be4f67dc384f769e4453980a05dca63b9ee55e38348092

    SHA512

    afd9cf62b27b59193d3479e88e5b9c8ffb59453f9e6bdc18fcbfc8c6cfb06d08cba8ab138f726911ee048fa03031715454a135c45b19b10f48185c8dbe0cfdc7

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    63KB

    MD5

    6318ee68959dd15450e161991a4c88a4

    SHA1

    0650f94ae6da77e586986bf58fcab67c91ffd80c

    SHA256

    cf9039210fc8bf7d70612cb5127ad5a5ff3deffa75f687684ec50444350f9a7a

    SHA512

    37c2c7e0dcd312ec9ef0e9c1b193fdd4af7243f5ff89afee5ea96e9e803b17f9b7107daefda29749e2ba4aecad50228b42fd69ffe250a7bab2117521d3e51195

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    63KB

    MD5

    bd899ca95d400d47283a50c234d4610e

    SHA1

    dca47062cdbeac5d20306eff43e8edde5e4cea74

    SHA256

    5407788b2c792917db000594c5761e24246347d18e8d603fff0bc1cf17154f2f

    SHA512

    51de2d42ce18d7116e6c3b98d7ddf58bd6d3f241a9f22711fd966fb49debecd2cee09234e4de17e5bd58dbb39637be888c1073e9d9d084aa5eb1d8dcd32e0885

  • memory/236-171-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1680-183-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1708-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1736-151-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1916-161-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2372-157-0x00000000025C0000-0x00000000025EF000-memory.dmp

    Filesize

    188KB

  • memory/2372-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2372-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2372-132-0x00000000025C0000-0x00000000025EF000-memory.dmp

    Filesize

    188KB

  • memory/2372-120-0x00000000025C0000-0x00000000025EF000-memory.dmp

    Filesize

    188KB

  • memory/2372-108-0x00000000025C0000-0x00000000025EF000-memory.dmp

    Filesize

    188KB

  • memory/2372-184-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2636-127-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2808-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB